Commentary

NAI To Probe Epic Marketplace's 'History-Sniffing' Techniques

Several years ago, before renaming itself Epic Advertising, the online ad company then known as AzoogleAds agreed to pay $1 million to settle a probe by the Florida Attorney General relating to allegedly deceptive offers for "free" ringtones.

This week the company is again under scrutiny for pushing the online-advertising envelope. Stanford researcher Jonathan Mayer on Tuesday published research showing that the company's ad-targeting network, Epic Marketplace, uses history-sniffing techniques to discover information about users' prior Web activity.

History-sniffing exploits the fact that some browsers change the color of links that users have visited. Ad networks and other Web companies can take advantage of that coding to determine which sites users have previously navigated to.

For its part, Epic doesn't deny that it uses history-sniffing. On the contrary, the company (now called Epic Media Group) argues that the technique "provides companies with a way to measure the accuracy of the data that a company purchases from data vendors without compromising consumer privacy."

Epic says it doesn't capture exact URLs, but uses information about people's Web history to confirm that they are in the right marketing segments. The company also says that it doesn't collect so-called "personally identifiable information." Epic says it stops collecting data used to verify segments when users opt out of online behavioral targeting.

Privacy experts, however, regard Epic's activities as extremely questionable. Jules Polonetsky, director and co-chair of the industry-funded think tank Future of Privacy Forum, calls Epic's history-sniffing "highly inappropriate," adding that it is likely to draw Federal Trade Commission scrutiny.

Polonetsky rightly points out that there's a difference between dynamically capturing information about the sites people visit and examining users' browsers after the fact to determine where they previously went online.

"It's one thing to log information about a user when they visit a site you're at," he says. "It's another thing to say, 'I have the right to get your browser to disgorge information about where you've been.' "

Polonetsky adds: "It's like snooping and saying, 'I could have seen you on the street, so I have the right to read in your diary about where you went.' "

Epic's own privacy policy arguably indicates that the company gathers data when users visit sites, and not after-the-fact. The policy says that Epic "automatically receives and records anonymous information that your browser sends whenever you visit a website which is part of the Epic Marketplace Network." Certainly nothing in that language suggests that the company is engaging in history-sniffing.

Industry self-regulatory standards are technology-neutral, so they don't deal with history-sniffing per se. The Network Advertising Initiative -- of which Epic is a member -- hasn't yet addressed the latest revelations, but executive director Charles Curran says the group "has initiated a review of all the facts" relating to Mayer's report.

Several months ago, even before the recent revelations about Epic, the Center for Democracy & Technology warned that companies using history-sniffing were at risk for an FTC enforcement action. "Taking advantage of a security hole by embedding hidden urls in a Web site to snoop through a visitor's history file has all the markings of a Section 5 claim --- either as a deceptive practice or under the FTC's unfairness authority," the CDT's Justin Brookman wrote.

Given the increased attention devoted to online privacy these days, Epic could well find itself defending its practices to the FTC.

Next story loading loading..